The Problem With Bare Hashes
If everyone hashes passwords the same way, identical passwords produce identical hashes, and attackers precompute giant rainbow tables mapping common passwords to their hashes.
Salting
A salt is a unique random value stored alongside each hash and mixed into the input. Because each user gets a different salt:
- Identical passwords hash to different values.
- Precomputed tables become useless, since they would need a table per salt.
- The salt is not secret, only unique.
Peppering
A pepper is a single secret value added to every password before hashing, but kept outside the database, often in application config or a hardware module. If the database leaks but the pepper does not, the stolen hashes are far harder to crack.
Using Both
Modern password hashing functions generate a fresh random salt and store it inside the hash string for you, so you rarely handle salts by hand. The pepper is an extra layer of defense in depth, and it only adds value if it is stored separately from the hashes, so that a database dump alone does not reveal it.
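The following is an added example, not code from the original page, showing the salting and peppering scheme described above in one place: a per-user random salt stored next to the hash, a secret pepper mixed in through HMAC so it never appears in the stored record, a constant-time verification, and a small unsalted lookup table to show why the salt defeats precomputation. The pepper value, the iteration count and the record layout are assumptions chosen for the example; PBKDF2-HMAC-SHA256 stands in for whatever slow password hash a real deployment uses.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed pepper for the example. In a deployment this lives in application
# config, an environment variable or a hardware module, never in the user database.
PEPPER = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0")

ITERATIONS = 200_000  # PBKDF2 work factor; an assumed value, tune to your hardware
SALT_LEN = 16         # 128-bit random salt per user


def _apply_pepper(password: str, pepper: bytes) -> bytes:
    """Mix the secret pepper in with HMAC-SHA256.

    Keying an HMAC with the pepper (rather than concatenating it) keeps the
    pepper out of the stored record entirely: without it, the derived input
    to the slow hash cannot be reconstructed even with the salt in hand.
    """
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = PEPPER,
                  salt: Optional[bytes] = None) -> Dict[str, object]:
    """Return the record to store in the database: public unique salt + hash."""
    if salt is None:
        salt = os.urandom(SALT_LEN)  # unique per user; not secret
    digest = hashlib.pbkdf2_hmac("sha256", _apply_pepper(password, pepper),
                                 salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": ITERATIONS}


def verify_password(password: str, record: Dict[str, object],
                    pepper: bytes = PEPPER) -> bool:
    """Recompute with the stored salt and the server-side pepper; compare in constant time."""
    salt = bytes.fromhex(str(record["salt"]))
    digest = hashlib.pbkdf2_hmac("sha256", _apply_pepper(password, pepper),
                                 salt, int(record["iterations"]))
    return hmac.compare_digest(digest, bytes.fromhex(str(record["hash"])))


# --- Why the salt matters: an unsalted precomputed table -------------------

def unsalted_sha256(password: str) -> str:
    """The bare-hash scheme the page warns about: one hash per password, no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_unsalted_table(common_passwords) -> Dict[str, str]:
    """Precompute hash -> password for a word list (a tiny rainbow-table stand-in)."""
    return {unsalted_sha256(p): p for p in common_passwords}


def lookup(stored_hash: str, table: Dict[str, str]) -> Optional[str]:
    """Return the password if the stored hash appears in the precomputed table."""
    return table.get(stored_hash)


if __name__ == "__main__":
    # Two users choose the same password: different salts, different records.
    alice = hash_password("correct horse battery staple")
    bob = hash_password("correct horse battery staple")
    print("same password, same hash?", alice["hash"] == bob["hash"])  # False

    # Normal login succeeds; wrong password fails.
    print("alice login:", verify_password("correct horse battery staple", alice))
    print("bad password:", verify_password("wrong", alice))

    # A stolen database without the pepper cannot even be verified against.
    print("without pepper:", verify_password("correct horse battery staple",
                                             alice, pepper=b"guessed-pepper"))

    # The unsalted table cracks a bare hash instantly but says nothing about a salted one.
    table = build_unsalted_table(["hunter2", "password", "letmein"])
    print("bare hash cracked:", lookup(unsalted_sha256("hunter2"), table))
    print("salted hash cracked:", lookup(str(hash_password("hunter2")["hash"]), table))
```

Because the pepper is an HMAC key rather than a suffix, rotating it means re-hashing passwords at next login; that is the usual trade-off for keeping it out of the database. If you use a library that embeds the salt in its own hash string, keep the HMAC step and drop the manual salt handling.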
Key idea
A unique per-user salt defeats rainbow tables by making identical passwords hash differently, while a separately stored secret pepper adds defense in depth if the database alone is stolen.